[failsafeXinit] launches gnome-terminal or gedit as root without a password

Bug #310126 reported by Anders Kaseorg
This bug affects 2 people
Affects         Status         Importance   Assigned to         Milestone
xorg (Ubuntu)   Fix Released   Medium       Bryce Harrington
Intrepid        Invalid        Medium       Unassigned
Jaunty          Fix Released   Medium       Bryce Harrington

Bug Description

Binary package hint: xorg

If GDM detects that X is failing to start the normal way, it launches /etc/gdm/failsafeXServer and /etc/gdm/failsafeXinit, which present a friendly dialog to help the user recover:

Ubuntu Failsafe-X
What would you like to do?
(*) Run Ubuntu in low-graphics mode for just this session
( ) Reconfigure graphics
( ) Troubleshoot the error
( ) Open a terminal

The “Open a terminal” option opens a gnome-terminal as root, *without asking for a password*.

Needless to say, this is a really dumb security problem. There are many things an attacker could do to force GDM to detect that the X server is crashing, such as repeatedly hitting Ctrl+Alt+Backspace. Therefore, anyone can walk up to a running Ubuntu system, open a root terminal, and quickly compromise it.

Some of the other options allow reconfiguring/editing the Xorg configuration, and should similarly require a password.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg - 1:7.4~5ubuntu8

---------------
xorg (1:7.4~5ubuntu8) jaunty; urgency=low

  * Disable terminal to prevent root access (LP: #310126)

 -- Bryce Harrington <email address hidden> Sun, 21 Dec 2008 00:05:19 -0800

Changed in xorg:
status: New → Fix Released
Anders Kaseorg (andersk) wrote :

Thanks for the quick upload, but you’ve introduced a syntax error in /etc/gdm/failsafeXinit (empty shell functions are not allowed), breaking the failsafe menu entirely:

  run_terminal() {
  # Causes bug #310126
  # gnome-terminal
  }

This might be fortunate from a security standpoint, though, because “Open a terminal” is not the only possible attack on the menu. Some others that I found fairly quickly are
  Troubleshoot the error → Review the xserver log file → File → Open → /etc/passwd
  Troubleshoot the error → Review the startup errors → File → Open → /etc/passwd
  Troubleshoot the error → Edit configuration file → File → Open → /etc/passwd

And who knows what damage you might be able to do even with just dexconf or xorgconf (setting a malicious ModulePath?).

Basically, all options other than “Run Ubuntu in low-graphics mode for just this session” are fundamentally dangerous; they need to be password-protected.

Changed in xorg:
status: Fix Released → New
Bryce Harrington (bryce) wrote :

No, there's no actual way to run that function from the UI. It is entirely commented out from the menu.

Feel free to attach a patch if you'd like different behavior.

Changed in xorg:
status: New → Fix Released
Anders Kaseorg (andersk) wrote :

Yes, the “Open a terminal” attack is gone now, but there are still other attacks that I mentioned above. The “Troubleshoot the error” option leads to a menu including three options that each launch gedit as root (“Review the xserver log file”, “Review the startup errors”, “Edit configuration file”). gedit can be used to edit the /etc/passwd file, for example, and compromise the system almost as quickly. I’ll retitle the bug to make the scope of the problem clearer.

These vulnerabilities are present in both Intrepid and Jaunty.

Changed in xorg:
status: Fix Released → New
Bryce Harrington (bryce) wrote : Re: failsafeXinit: launches gnome-terminal or gedit as root without a password

So do you have a patch to propose? Otherwise this may need to wait a bit.

Changed in xorg:
status: New → Incomplete
Bryce Harrington (bryce) wrote :

We're closing this bug since it has been some time with no response from the original reporter. However, if the issue still exists please feel free to reopen with the requested information. Also, if you could, please test against the latest development version of Ubuntu, since this confirms the bug is one we may be able to pass upstream for help.

Changed in xorg:
status: Incomplete → Invalid
Anders Kaseorg (andersk) wrote :

This vulnerability has not gone away; failsafeXinit still allows an untrusted user to run gedit as root. I don’t have an ultimate solution, but removing the three vulnerable options would be a good first step. We could then open up this bug (or a new bug) so that other contributors can figure out how to add back this functionality in a secure way.

Changed in xorg:
status: Invalid → New
Anders Kaseorg (andersk) wrote :

Here is a debdiff for Jaunty that simply removes the vulnerable options.

Anders Kaseorg (andersk) wrote :

And an equivalent debdiff for Intrepid.

Kees Cook (kees) wrote :

bpx needs to prompt for a root password if one exists. "sulogin" has a similar behavior.

Changed in xorg:
assignee: nobody → bryceharrington
importance: Undecided → Medium
milestone: none → ubuntu-9.04-beta
status: New → Triaged
assignee: nobody → bryceharrington
importance: Undecided → Medium
status: New → Triaged
Kees Cook (kees) wrote :

For example:

SUSHELL=/path/to/bpx sulogin

Bryce Harrington (bryce)
Changed in xorg (Ubuntu Jaunty):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg - 1:7.4~5ubuntu16

---------------
xorg (1:7.4~5ubuntu16) jaunty; urgency=low

  [Tormod Volden]
  * apport/source_xorg.py: Use grep directly instead of shelling out, and
    look in /proc/modules as well. Also only set 'fglrx-installed' if
    there was a definite match.

  [Bryce Harrington]
  * x11-common.links: Add apport support for several more packages.
  * local/Xsession.d/60x11-common_localhost:
    - Rename from 60x11-localhost for consistency (LP: #340807)
    - Redirect stderr in an sh-safe fashion
  * x11-common.postinst.in, x11-common.preinst.in, x11-common.postrm.in:
    - Remove renamed 60x11-localhost; handle upgrade failures gracefully
  * local/dexconf, local/Failsafe/failsafeDexconf:
    - Add hooks for Sun's virtualbox (LP: #319373)
  * local/Failsafe/failsafeXinit:
    - Use zenity for viewing logs, and vt2 for console login
      (LP: #310126)
    - Make translatable (LP: #335678)
  * apport/source_xorg.py: Suppress warning about keyboard geometry on :0
    (LP: #315777)

 -- Bryce Harrington <email address hidden> Wed, 18 Mar 2009 13:54:27 -0700

Changed in xorg:
status: Fix Committed → Fix Released
Anders Kaseorg (andersk) wrote :

edit_config() {
    backup_xorg_conf || return 1

    xorg_conf_tmp=$(mktmp "/tmp/xorg.conf.XXXXXXXX")
    cp /etc/X11/xorg_conf ${xorg_conf_tmp}
    zenity --text-info --editable --filename=${xorg_conf_tmp} --width=640 --height=480 > "/etc/X11/xorg.conf"
}

There is a typo on the cp line: /etc/X11/xorg_conf should be /etc/X11/xorg.conf .

Also, this will cause xorg.conf to be overwritten with an empty file if the user hits Esc at the zenity prompt. The last two lines should be replaced with
    zenity --text-info --editable --filename=/etc/X11/xorg.conf --width=640 --height=480 > "$xorg_conf_tmp" && \
      mv "$xorg_conf_tmp" /etc/X11/xorg.conf

Finally, are you SURE that a malicious user can’t gain any kind of unauthorized access by editing xorg.conf?

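As an added example, not code from the xorg package or from either commenter, the following POSIX sh helper applies the pattern Anders proposes above: the editor reads the real file and writes the edited contents to a temporary file, and the target is only replaced when the editor exits successfully, so cancelling the dialog can no longer truncate /etc/X11/xorg.conf. The helper name safe_edit_file and the convention that the editor command takes the source path as its last argument and prints the result on stdout are assumptions made for this example; the zenity invocation from the thread fits that convention.

```shell
#!/bin/sh
# Added example (not from the Ubuntu xorg package): a failure-safe variant of
# the edit_config pattern discussed in the bug thread.
#
# Usage: safe_edit_file TARGET EDITOR_CMD [ARGS...]
# EDITOR_CMD is run as "EDITOR_CMD ARGS... TARGET" and must print the edited
# contents on stdout (this is how "zenity --text-info --editable" behaves).
# TARGET is replaced only if the editor exits 0; otherwise it is untouched.
safe_edit_file() {
    target=$1
    shift

    # Write into a temporary file first so that a cancelled or failed editor
    # never leaves an empty TARGET behind (the defect in the original code,
    # which redirected the editor's stdout straight into /etc/X11/xorg.conf).
    tmp=$(mktemp "${TMPDIR:-/tmp}/${target##*/}.XXXXXXXX") || return 1

    if "$@" "$target" > "$tmp"; then
        # Success: replace the target with the edited copy in one rename.
        mv "$tmp" "$target"
    else
        # Editor was cancelled or failed: discard the copy, keep the original.
        rm -f "$tmp"
        return 1
    fi
}
```

With zenity the call would be `safe_edit_file /etc/X11/xorg.conf zenity --text-info --editable --width=640 --height=480 --filename=`; the trailing `--filename=` shown there is only a sketch, because zenity expects the path as part of that option rather than as a separate argument, so a small wrapper that builds `--filename=$1` is the practical way to fit it to this helper. Note that the helper fixes the data-loss bug only; it does nothing about the question of whether an unauthenticated user should be able to reach the editor at all, which is the thread's actual security issue.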
Kees Cook (kees)
visibility: private → public
Bryce Harrington (bryce)
Changed in xorg (Ubuntu Intrepid):
assignee: Bryce Harrington (bryceharrington) → nobody
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in xorg (Ubuntu Intrepid):
status: Triaged → Invalid